
tools-mail: check SPF of sender before forwarding email
Open, Low, Public

Description

I got two e-mails, headers:

Return-Path: <no-reply@tools.wmflabs.org>
Received: from mail.tools.wmflabs.org ([208.80.155.162]) by ***
 (***) with ESMTPS (Nemesis) id 0Lj04k-1ahbTk48ha-00dGID for
 <***>; Thu, 03 Dec 2015 10:06:39 +0100
Received: from [112.79.35.108/27.3.192.172]
        by mail.tools.wmflabs.org with esmtp (Exim 4.76)
        (envelope-from <no-reply@tools.wmflabs.org>)
        id 1a4PqU-0004C2-DR
        for gifti@tools.wmflabs.org; Thu, 03 Dec 2015 09:06:36/09:36:44 +0000
From: <no-reply@tools.wmflabs.org>
To: <gifti@tools.wmflabs.org>
Subject: Scanned image from MX-2600N
Date: Thu, 03 Dec 2015 14:36:20 +0530
Message-ID: <201512036317/201512034325.NOREPLY@tools.wmflabs.org>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_7054_01D06642.8A15BEE0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac9zfUYGCX85GfHLR2eFV/vn3hBULA==

content:

Reply to: no-reply@tools.wmflabs.org> <no-reply@tools.wmflabs.org>>
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set

File Format: DOC MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned image in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated
to view the document.

Event Timeline

Giftpflanze raised the priority of this task from to Needs Triage.
Giftpflanze updated the task description.
Giftpflanze added a project: Toolforge.
Giftpflanze added a subscriber: Giftpflanze.
Restricted Application added a project: Cloud-Services. Dec 3 2015, 12:38 PM
Restricted Application added subscribers: StudiesWorld, Aklapper.

This e-mail indeed passed through the tool labs mailserver. In principle, this is OK (we are supposed to forward mails to gifti@tools.wmflabs.org to you), but we should obviously not accept mails 'from: <something>@tools.wmflabs.org' from a third party. Apparently we don't check SPF records ourselves...? :/

see https://github.com/Exim/exim/wiki/SPF and /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt

chasemp triaged this task as Low priority. Dec 3 2015, 2:21 PM
chasemp set Security to None.
coren added a subscriber: coren. Dec 3 2015, 2:44 PM

It's not as clear-cut as that - you'd expect people receiving email to their *@tools.wmflabs.org addresses to be able to reply with that same address as From:; so it's not immediately clear that such emails should "obviously" not be accepted.

Email headers are not authenticated and cannot be; the best one can do is attempt to reduce obvious outliers and minimize spam and phishing and while using SPF to score spam is good, using it to reject email entirely is rarely a very good idea (as Yahoo demonstrates with its horrid false positive rejections).

scfc added a subscriber: scfc. Dec 3 2015, 3:20 PM

I think people using tools.wmflabs.org as their domain for outgoing mails should use the proper mail server (which is tricky, but doable if you really want to), so I don't have any problem with publishing (hard) SPF records for tools.wmflabs.org.

But for incoming mails the situation is made worse by us currently forwarding mails without address rewriting, i.e. a mail from someone@somewhere to scfc@tools.wmflabs.org causes the Tools mail server to claim to my mail server that it is the legitimate sender for somewhere. So as long as we are not conservative in sending mails out, we should be liberal in accepting mails, not least so that we don't shoot ourselves in the foot :-).

valhallasw added a comment. Edited Dec 3 2015, 3:26 PM

> you'd expect people receiving email to their *@tools.wmflabs.org addresses to be able to reply with that same address as From

that doesn't work, actually, because we publish an SPF record:

  • from: valhallasw@gmail.com to marc@tools.wmflabs.org via smtp.gmail.com works (smtp.gmail.com is allowed to send mails from gmail.com)
  • from: valhallasw@tools.wmflabs.org to marc@tools.wmflabs.org via smtp.gmail.com works (tools.wmflabs.org doesn't check SPF, so accepts smtp.gmail.com as source)
  • from: valhallasw@tools.wmflabs.org to marc@otherdomain.org via smtp.gmail.com fails (smtp.gmail.com is not allowed to send mails from tools.wmflabs.org)
  • from: valhallasw@tools.wmflabs.org to marc@otherdomain.org via mail.tools.wmflabs.org fails (relay denied)

> while using SPF to score spam is good, using it to reject email entirely is rarely a very good idea (as Yahoo demonstrates with its horrid false positive rejections).

Iirc the issues with Yahoo are related to DMARC, not to SPF. We should add an envelope-from to our emails, though: T120225: correctly envelope forwarded email
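The cases listed in the comment above, plus the scanner mail from the task description, run through a small SPF check. This is an added example and not part of the thread or the Toolforge configuration. The SPF records, the 192.0.2.10 stand-in for smtp.gmail.com and the reject/tag policy are constructed assumptions, and only the ip4, ip6 and all mechanisms are handled.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups; the real records
# for these domains are not shown on this page.
SPF_RECORDS = {
    "tools.wmflabs.org": "v=spf1 ip4:208.80.155.162 -all",
    "gmail.com": "v=spf1 ip4:192.0.2.0/24 ~all",  # documentation range
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, domain):
    """Subset of RFC 7208 check_host(): only ip4, ip6 and all are handled."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "permerror"  # mechanism outside this subset
        if ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def rcpt_decision(client_ip, envelope_from):
    """Assumed policy: reject on fail, tag on softfail, accept otherwise."""
    result = check_host(client_ip, envelope_from.rpartition("@")[2])
    action = {"fail": "reject", "softfail": "tag"}.get(result, "accept")
    return action, result


# (connecting IP, envelope sender); 192.0.2.10 is a constructed stand-in
# for smtp.gmail.com.
CASES = {
    "scanner mail from the task description": ("112.79.35.108", "no-reply@tools.wmflabs.org"),
    "gmail.com sender via smtp.gmail.com": ("192.0.2.10", "valhallasw@gmail.com"),
    "tools.wmflabs.org sender via smtp.gmail.com": ("192.0.2.10", "valhallasw@tools.wmflabs.org"),
    "tools.wmflabs.org sender from 208.80.155.162": ("208.80.155.162", "no-reply@tools.wmflabs.org"),
}

if __name__ == "__main__":
    for label, (ip, sender) in CASES.items():
        print(f"{label}: {rcpt_decision(ip, sender)}")
```

Under these assumed records, the third case (a tools.wmflabs.org sender relayed through smtp.gmail.com, accepted today because no SPF check is done) becomes a rejection, alongside the scanner mail.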

valhallasw renamed this task from Weird e-mails from tool labs to tools-mail: check SPF of sender before forwarding email. May 27 2016, 12:22 PM
valhallasw moved this task from Triage to Backlog on the Toolforge board.